Panel favors widening scope of data law

The panel’s report, which was tabled in Parliament on Thursday, recommended a phased implementation and a two-year transition period for compliance with the new law.

The committee recommended setting up of a statutory authority to regulate social media platforms on the lines of the Press Council of India. It also suggested imposition of fines in cases of violation of rules, keeping startups and small entities out of the purview.

Panel chairman PP Choudhary said the committee has suggested “adequate safeguards” to protect personal privacy, but it cannot override national security.

“When there is a conflict between national security and personal privacy, it is a declared policy of our country according to the Constitution that the nation comes first and personal privacy comes second,” he said, adding that in one such instance, the government It can order agencies to process data of any person without permission.

As per the recommendations, the central government will have full authority to direct the Data Protection Authority (DPA) on all issues. It can exempt any government agency from the purview of the Act subject to a just, fair, fair and proportional process.

The move to keep government agencies out of the purview has been opposed by lawmakers from opposition parties who have filed their dissent notes.

The panel, in its 542-page report, has suggested regulating content on social media platforms and creating platforms that are not responsible for the content published by them, including unverified accounts. Further, only social media platforms that set up offices locally will be allowed to operate in India.

Once enacted as a law, this bill will replace all other laws relating to data protection in India. “What I am excited about is that the draft has made it a data protection law and not a personal data protection law,” said Supreme Court lawyer and cyber law expert NS Nappinai.

The committee recommended that all data related issues be dealt with by the DPA as a single administrative and regulatory body to prevent conflicts, confusion and mismanagement.

Keeping in mind the data security for all devices including IoT devices, the panel suggested regulation of hardware manufacturers by DPA, proper certification of players with proper testing laboratory facilities. In addition, the Data Protection Bill places liability on data fiduciaries that process personal data of children. The JPC has removed the provisions of ‘guardian data trustee’ in the draft bill, while keeping the age of consent for data use at 18 years, terming it unnecessary.

Nappinai said it is good that JPC has put a complete ban on companies profiling children, rather than limiting it to just “parental data fiduciaries”, as was done in the draft Personal Data Protection Bill in 2019.

The committee suggested a staggered approach to imposing penalties depending on the severity of the violation and the size of the unit. If an entity does not take prompt action in case of data breach, does not register with the DPA, does not conduct impact assessment, conduct data audit or appoint a data protection officer or DPO, the maximum penalty will be imposed on it. May go 5 crore or 2% of its global revenue, whichever is higher.

For serious cases of violation, the penalty will be maximum 15 crore or 4% of global revenue, whichever is higher. “Startups and small data fiduciaries engaged in innovation and R&D need to be considered separately,” the panel said.

The committee recommended that all social media platforms that do not act as intermediaries should be treated as publishers and held accountable for the data they host. In addition, a mechanism should be put in place where social media platforms, which do not act as intermediaries, should be held accountable for content from unverified accounts on their platforms. “Once the application for verification along with the required documents is submitted, the social media intermediaries will mandatorily verify the account,” the report said.